Secure & best practice of file & folder sharing between laptops & PCs

I'm drafting something for IT guys if they want to share their files/info within the team
& we don't have SharePoint currently.

For sure, passwords & sensitive info like payslips must not be shared this way.

Besides sharing out explicitly using NTFS permissioning (I think this is equivalent of
using icacls), what other measures should we undertake?

a) is a network share  (ie Windows  'net share sharename=c:\myfolder' ) encrypted?
b) how can we prevent domain admins from accessing the information/file/folder?
c) should we set up firewall rules to permit only ppl within same team (say
    netadmins) to access the share?  But we have an issue in that some of the
    PCs are on DHCP (ie non static IP)
d) any other measures?
sunhux Asked:
 
btan (Exec Consultant) Commented:
Even NTFS permissions are a huge chunk: they should ensure not only access rights but also be role-based (security groups such as Department or Job), specific enough to determine who (the identity assigned) can access what resource (file & folder) with what permission (rights mgmt. if possible, otherwise ACLs using the least privilege needed to do the job). You can catch it here: https://technet.microsoft.com/en-us/library/cc780313(v=ws.10).aspx

One problem faced with file shares, which is not about ACLs or having rights mgmt. enforced in documents, is the manageability of "folder spread": multiple folders and files created at the root folder not only overload the system's indexing resources but also make it hard to track security activities,
and in fact make it easier for ransomware to spread to all folders and files from the root by enumerating each file server instance. We need to limit exposure, assuming an infection occurs or malware starts to propagate and jump from server to server to spread the infection. So the practice is:
- root folder (administrator, read-only root-level folder)
-- "horizontal" folder mgmt. with a logically restricted number of child folders (limit to max 10 folders, each based on a unique department purpose)
-- "vertical" folder/file mgmt. to keep the file path to no more than the 255-char naming length (I do not advocate folders that are too deep, as data can easily be lost when it is missed out of a targeted backup of certain data types; it reduces the file I/O access too)

Consider
- Have an overall access matrix to chart the security assignments to the file shares (as the resource)
- Be able to map it to the central security groups and users assigned, as well as to the file shares in the authorized system.
- Have audit trails for access enabled
- Separate critical or time-sensitive folders out onto another server, or map them to another drive.
- Differentiate between classified and non-classified information, and further restrict access into public access (enterprise level) and private (dept, team, user level)
- Set permissions once the folder access level is determined, to separate read-only and working (writable) areas within the mapped shares
- Avoid over-segregation of folders such as "folder spread", and minimize folder depth with limited path names (use easily interpreted naming to indicate purpose)

I have heard of the use of decoy folders to make the ransomware work hard, such that it keeps enumerating into the sub-folders (in a sense, lost in the maze), so that an alert on such anomalous access can be triggered centrally for quick response...
 
David Johnson, CD, MVP (Owner) Commented:
Disk-level encryption will not work, as the share will be unencrypted over the share.
Use groups for share permissions and get granular with NTFS permissions.
Domain admins are by definition local admins, so even a deny for the Domain Admins group can be overridden easily.
(c) cannot be done easily.

You could use WinZip / WinRAR / 7-Zip to encrypt the files, so that only the users who should have permission have the password.
 
sunhux (Author) Commented:
Is it good practice to use Windows Firewall to permit only PCs in a specific IP range to access
the share? In our case, our IT dept uses a specific range of DHCP IPs, while users of each dept
use a different range.

What are the TCP & UDP ports used by Windows "net share", & can we customize these
ports to use some other ports (just as some SSH or FTP servers can be made to
listen on different ports)?

So when data is copied over from a Windows network share, it's not encrypted?
 
sunhux (Author) Commented:
> - Have audit trails for access enabled
Could you point me to a link which gives instructions on enabling an audit trail/logging when a shared
folder or file(s) are being accessed (copied, read, edited & deleted)?

> classified and non-classified information
So admin passwords (of servers, domain admin, firewalls etc.) should not be shared, while network diagrams
and IP address lists are classified, and documents meant for corporate-wide viewing (say the Security Policy) are
non-classified?

> use of decoy folder purpose to make the Ransomware work hard
We have had quite a number of ransomware attacks, so it would be nice if you could elaborate on this.
 
btan (Exec Consultant) Commented:
A PDF guide that provides step-wise instructions to enable auditing on a file server and track every change in real time: http://www.lepide.com/guide/enable-file-folder-access-auditing.pdf

Classification is based on context and owner discretion as to the level of protection. There should be levels of classification and guidance on classifying information, not a wild guess. Those IP addresses and network diagrams are unique to your enterprise and should be treated with strict confidence, especially when they are used enterprise-wide. Access by everyone in the enterprise does not mean it is non-classified. They are different matters; in fact it is even more pertinent to emphasise treating this corporate info as privileged info.

A good read on the anti-ransomware strategy, including decoy files and recursive folders:
Another way of impeding ransomware was proposed on the Free Forensics blog. This method involves setting up infinitely-recursive directories by taking advantage of certain features of the Windows file system. Ransomware that attempts to traverse the file system to locate the files it needs to encrypt will get stuck in such a sinkhole, giving the victim the opportunity to react to the infection.
https://zeltser.com/detect-impede-ransomware/
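Added example, not part of any answer in this thread: one way to combine the audit trail and the decoy-folder alerting discussed above, using the built-in `auditpol`, `Set-Acl` and `Get-WinEvent` tools. The decoy path and file name are constructed placeholders, and an English-language Windows install is assumed for the audit subcategory name.

```powershell
# Added example. Run elevated on the machine hosting the share.
$Decoy = 'D:\Shares\TeamDocs\_0_archive'   # hypothetical decoy folder nobody has a reason to open

# 1. Turn on the "File System" object-access audit subcategory (name is localized).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Create the decoy and attach an audit rule (SACL) that applies to every user.
New-Item -ItemType Directory -Path $Decoy -Force | Out-Null
Set-Content -Path (Join-Path $Decoy 'budget.xlsx') -Value 'decoy'
$acl  = Get-Acl -Path $Decoy -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData, WriteData, AppendData, Delete',
    'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $Decoy -AclObject $acl

# 3. Pull event 4663 ("an attempt was made to access an object") for the decoy path.
function Get-DecoyAccess {
    param([string]$Path, [int]$Minutes = 15)
    $filter = @{ LogName = 'Security'; Id = 4663
                 StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the named EventData fields into a hashtable.
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) {
                $d[$n.Name] = $n.'#text'
            }
            $hit = "$($d.ObjectName)".StartsWith(
                $Path, [System.StringComparison]::OrdinalIgnoreCase)
            if ($hit) {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Object = $d.ObjectName
                }
            }
        }
}

# Any row here means an account touched the decoy; a high Count suggests enumeration.
Get-DecoyAccess -Path $Decoy |
    Group-Object User |
    Select-Object Name, Count, @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } }
```

Scheduling the last pipeline and forwarding non-empty results to a central log gives the "alert triggered centrally" behaviour described above.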
 
David Johnson, CD, MVP (Owner) Commented:
> So when data is copied over from a Windows Network share, it's not encrypted?
It can be if using SMB 3.0. The default is not encrypted, since it has considerable overhead.
https://technet.microsoft.com/en-us/library/dn551363(v=ws.11).aspx

The ports are fixed (port 445) and defined by IANA
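Added example, not part of any answer in this thread: creating a share with group-based share and NTFS permissions, SMB 3.0 encryption turned on, and the inbound SMB (port 445) firewall rule scoped to one department's address range. The share name, path, group and range are constructed placeholders; the firewall rule display name assumes an English-language Windows install.

```powershell
# Added example. Run elevated on the PC or server hosting the share
# (SMB encryption needs Windows 8 / Server 2012 or later on both ends).
$ShareName = 'NetAdminDocs'             # hypothetical
$Path      = 'D:\Shares\NetAdminDocs'   # hypothetical
$TeamGroup = 'EXAMPLE\NetAdmins'        # hypothetical domain security group
$TeamRange = '10.20.30.0/24'            # hypothetical DHCP scope of the IT dept

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS: stop inheriting from the parent and grant only what is needed.
# BUILTIN\Administrators stays so the folder remains manageable; as noted in the
# thread, an ACL does not keep domain admins out.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$grants = @(
    @{ Id = $TeamGroup;               Rights = 'Modify' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share: permission by group, encryption required for this share,
# and folders hidden from users who cannot open them.
New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $TeamGroup `
    -EncryptData $true -FolderEnumerationMode AccessBased | Out-Null

# Firewall: limit inbound SMB (TCP 445) to the team's range.
# This scopes every share on this host, not only the new one.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
    Set-NetFirewallRule -RemoteAddress $TeamRange

# Check the result.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData
Get-SmbShareAccess -Name $ShareName
```

Scoping by range rather than by single address is what makes this workable when the team's PCs get their addresses from DHCP, as long as each department has its own scope.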
 
btan (Exec Consultant) Commented:
To add on classification for enterprise-wide info: it can be for internal reading only and not for public access, so rightfully it should be classified as Restricted at minimum. The security policy is classified as Restricted in that sense. If there is a need to share classified info, the advice is to declassify and sanitise it before sharing with external parties, especially contractors. Otherwise, strict handling must be authorised and overseen by the enterprise staff.